
Example 1 with AdminPermissionEvaluator

use of org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator in project keycloak by keycloak.

From class RealmsAdminResource, method getRealmAdmin:

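/**
 * Base path for the admin REST API for one particular realm.
 *
 * <p>Resolves the realm by name, checks that the caller is allowed to administer it,
 * and builds the per-realm {@link RealmAdminResource} with a permission evaluator
 * scoped to that realm.
 *
 * @param headers request headers (injected by the container; not read by this method)
 * @param name realm name (not id!)
 * @return the admin sub-resource for the requested realm
 * @throws NotFoundException if no realm with that name exists
 * @throws ForbiddenException if the caller's realm is neither the administration realm
 *         nor the requested realm
 */
@Path("{realm}")
public RealmAdminResource getRealmAdmin(@Context final HttpHeaders headers, @PathParam("realm") final String name) {
    RealmManager realmManager = new RealmManager(session);
    RealmModel realm = realmManager.getRealmByName(name);
    if (realm == null) {
        throw new NotFoundException("Realm not found.");
    }
    // Cross-realm administration is only allowed from the administration realm; every
    // other caller must be authenticated in the very realm it is trying to administer.
    // The lookup above runs before this check, so a caller from another realm gets 404
    // for an unknown realm name and 403 for an existing one.
    if (!auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm()) && !auth.getRealm().equals(realm)) {
        throw new ForbiddenException();
    }
    // Fine-grained permission checks downstream are evaluated against the target realm,
    // not the realm the caller authenticated in.
    AdminPermissionEvaluator realmAuth = AdminPermissions.evaluator(session, realm, auth);
    AdminEventBuilder adminEvent = new AdminEventBuilder(realm, auth, session, clientConnection);
    session.getContext().setRealm(realm);
    RealmAdminResource adminResource = new RealmAdminResource(realmAuth, realm, tokenManager, adminEvent);
    ResteasyProviderFactory.getInstance().injectProperties(adminResource);
    return adminResource;
}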

Example 2 with AdminPermissionEvaluator

use of org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator in project keycloak by keycloak.

From class FineGrainAdminUnitTest, method evaluateLocally:

/**
 * Evaluates fine-grained admin permissions directly against the model, without going
 * through the REST layer.
 *
 * <p>Looks up the fixture users of realm {@code TEST} and asserts what each of them may
 * do with users and with role mappings for the realm roles {@code realm-role} /
 * {@code realm-role2} and the client role {@code client-role}. {@code TEST} and
 * {@code CLIENT_NAME} are constants defined elsewhere in this class.
 *
 * @param session the session the permission checks are evaluated in
 */
public static void evaluateLocally(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel realmRole = realm.getRole("realm-role");
    RoleModel realmRole2 = realm.getRole("realm-role2");
    ClientModel client = realm.getClientByClientId(CLIENT_NAME);
    RoleModel clientRole = client.getRole("client-role");

    // "authorized": may manage users and map every role except realm-role2
    AdminPermissionEvaluator authorized = evaluatorForUser(session, realm, "authorized");
    Assert.assertTrue(authorized.users().canManage());
    Assert.assertTrue(authorized.roles().canMapRole(realmRole));
    Assert.assertFalse(authorized.roles().canMapRole(realmRole2));
    Assert.assertTrue(authorized.roles().canMapRole(clientRole));

    // "authorizedComposite": composite-role variant, expected to behave like "authorized"
    AdminPermissionEvaluator composite = evaluatorForUser(session, realm, "authorizedComposite");
    Assert.assertTrue(composite.users().canManage());
    Assert.assertTrue(composite.roles().canMapRole(realmRole));
    Assert.assertFalse(composite.roles().canMapRole(realmRole2));
    Assert.assertTrue(composite.roles().canMapRole(clientRole));

    // "unauthorized": no user management, no role mapping at all
    AdminPermissionEvaluator unauthorized = evaluatorForUser(session, realm, "unauthorized");
    Assert.assertFalse(unauthorized.users().canManage());
    Assert.assertFalse(unauthorized.roles().canMapRole(realmRole));
    Assert.assertFalse(unauthorized.roles().canMapRole(clientRole));
    Assert.assertFalse(unauthorized.roles().canMapRole(realmRole2));

    // "unauthorizedMapper": may manage users but may not map any of the three roles
    AdminPermissionEvaluator unauthorizedMapper = evaluatorForUser(session, realm, "unauthorizedMapper");
    Assert.assertTrue(unauthorizedMapper.users().canManage());
    Assert.assertFalse(unauthorizedMapper.roles().canMapRole(realmRole));
    Assert.assertFalse(unauthorizedMapper.roles().canMapRole(clientRole));
    // NOTE(review): the original comment here said this "will result to true because
    // realmRole2 does not have any policies attached", yet the assertion expects false —
    // confirm which of the two is intended.
    Assert.assertFalse(unauthorizedMapper.roles().canMapRole(realmRole2));

    // "groupManager": per-user rights differ between a non-member and a group member
    AdminPermissionEvaluator groupManager = evaluatorForUser(session, realm, "groupManager");
    UserModel nonMember = session.users().getUserByUsername(realm, "authorized");
    Assert.assertFalse(groupManager.users().canManage(nonMember));
    Assert.assertFalse(groupManager.users().canView(nonMember));
    UserModel groupMember = session.users().getUserByUsername(realm, "groupMember");
    Assert.assertTrue(groupManager.users().canManage(groupMember));
    Assert.assertTrue(groupManager.users().canManageGroupMembership(groupMember));
    Assert.assertTrue(groupManager.users().canView(groupMember));
    Assert.assertTrue(groupManager.roles().canMapRole(realmRole));
    Assert.assertTrue(groupManager.roles().canMapRole(clientRole));
    Assert.assertFalse(groupManager.roles().canMapRole(realmRole2));

    // "clientMapper": may manage users and map the client role only
    AdminPermissionEvaluator clientMapper = evaluatorForUser(session, realm, "clientMapper");
    UserModel managedUser = session.users().getUserByUsername(realm, "authorized");
    Assert.assertTrue(clientMapper.users().canManage(managedUser));
    Assert.assertFalse(clientMapper.roles().canMapRole(realmRole));
    Assert.assertTrue(clientMapper.roles().canMapRole(clientRole));
    Assert.assertFalse(clientMapper.roles().canMapRole(realmRole2));
}

/**
 * Builds the permission evaluator for the named user acting as an admin of {@code realm}.
 *
 * @param session the session used for the user lookup and the evaluator
 * @param realm the realm the user belongs to and administers
 * @param username username of the fixture user
 * @return the evaluator for that user, scoped to {@code realm}
 */
private static AdminPermissionEvaluator evaluatorForUser(KeycloakSession session, RealmModel realm, String username) {
    UserModel admin = session.users().getUserByUsername(realm, username);
    return AdminPermissions.evaluator(session, realm, realm, admin);
}
